mastodon-web.service 1.2 KB

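  # systemd unit that runs the Mastodon web process (puma) as the unprivileged
  # "mastodon" user inside a restrictive sandbox. The listing's gutter numbers
  # ("1.", "2.", ...) were display artifacts, not unit syntax, and are dropped
  # here. Directives and their order are unchanged.
  [Unit]
  Description=mastodon-web
  After=network.target

  [Service]
  Type=simple
  # Run as a dedicated account, not root; every restriction below applies on top of this.
  User=mastodon
  WorkingDirectory=/home/mastodon/live
  Environment="RAILS_ENV=production"
  # Only the port is set here. The listen address comes from config/puma.rb, which
  # is not shown. NOTE(review): confirm it binds to loopback if a reverse proxy
  # fronts this service.
  Environment="PORT=3000"
  # NOTE(review): a bare library name is resolved through the dynamic loader's
  # search path. An absolute path pins exactly which file gets preloaded.
  Environment="LD_PRELOAD=libjemalloc.so"
  ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
  # Reload sends SIGUSR1 to the main process; what that does is defined by puma
  # (presumably a phased restart, confirm against the puma version in use).
  ExecReload=/bin/kill -SIGUSR1 $MAINPID
  TimeoutSec=15
  Restart=always

  # Proc filesystem
  # Expose only the per-process part of /proc, and hide other users' processes in it.
  ProcSubset=pid
  ProtectProc=invisible

  # Capabilities
  # An empty assignment clears the bounding set: the service can hold no capabilities.
  CapabilityBoundingSet=

  # Security
  # Blocks privilege gain through execve() (setuid/setgid binaries, file capabilities).
  NoNewPrivileges=true

  # Sandboxing
  # strict mounts the whole file system hierarchy read-only for this service,
  # apart from API file systems such as /dev, /proc and /sys. Write access is
  # re-granted only by ReadWritePaths= at the end of this section.
  # NOTE(review): ProtectHome= is not set, since the application lives under /home.
  ProtectSystem=strict
  PrivateTmp=true
  PrivateDevices=true
  PrivateUsers=true
  ProtectHostname=true
  ProtectKernelLogs=true
  ProtectKernelModules=true
  ProtectKernelTunables=true
  ProtectControlGroups=true
  # Repeated assignments are merged into one allow-list of socket families;
  # any family not listed here cannot be used.
  RestrictAddressFamilies=AF_INET
  RestrictAddressFamilies=AF_INET6
  RestrictAddressFamilies=AF_NETLINK
  RestrictAddressFamilies=AF_UNIX
  RestrictNamespaces=true
  LockPersonality=true
  RestrictRealtime=true
  RestrictSUIDSGID=true
  RemoveIPC=true
  PrivateMounts=true
  ProtectClock=true

  # System Call Filtering
  SystemCallArchitectures=native
  # Order matters here. The first SystemCallFilter= line starts with "~", so the
  # filter is a deny-list. The following lines without "~" take entries back out
  # of that deny-list: they re-allow @chown, pipe and pipe2, which the groups
  # above (@privileged, @ipc) would otherwise block. Reordering these lines or
  # dropping the "~" line would turn the filter into an allow-list of only
  # those calls.
  SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
  SystemCallFilter=@chown
  SystemCallFilter=pipe
  SystemCallFilter=pipe2
  # The only writable location under ProtectSystem=strict.
  # NOTE(review): this covers the whole application tree, code and configuration
  # included. If the deployment allows it, narrow this to the subdirectories the
  # application actually writes to.
  ReadWritePaths=/home/mastodon/live

  [Install]
  WantedBy=multi-user.target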